PT-2026-4471 · Miniserve · Miniserve

Published: 2026-01-23 · Updated: 2026-01-25 · CVE-2025-67124

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions: miniserve version 0.32.0

Description: A time-of-check to time-of-use (TOCTOU) and symlink race condition exists in miniserve when uploads are enabled. The issue occurs during upload finalization. In deployments where an attacker can create or replace filesystem entries in the upload destination directory, the race can be used to overwrite arbitrary files outside the intended upload directory.

Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling uploads until a patch is available.
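To make the weakness class concrete from the defender's side, the following added example (illustrative code, not miniserve's own implementation or its fix) contrasts a naive upload finalization, where the final open() happens after a separate check and therefore follows whatever directory entry exists at that moment, with a finalization that stages the data in an exclusively created temporary file and then renames it into place. Function names, the sample directory layout and the constructed file contents are all assumptions for the demonstration; it relies on the POSIX O_EXCL / O_NOFOLLOW flags and dir_fd-relative calls available on Linux.

```python
import os
import tempfile


def finalize_upload_naively(upload_dir: str, filename: str, data: bytes) -> None:
    """Check-then-use finalization (hypothetical naive pattern).

    Whatever existence check preceded this call is stale by the time open()
    runs: if the entry was replaced by a symlink in between, open() follows it
    and the write lands on the link target.
    """
    dest = os.path.join(upload_dir, filename)
    with open(dest, "wb") as f:  # follows a symlink planted at dest
        f.write(data)


def finalize_upload_safely(upload_dir: str, filename: str, data: bytes) -> str:
    """Stage-then-rename finalization that never follows a planted symlink."""
    # A bare file name only: no separators, no traversal, no NUL.
    if (
        not filename
        or filename in (".", "..")
        or os.sep in filename
        or (os.altsep and os.altsep in filename)
        or "\0" in filename
    ):
        raise ValueError(f"invalid upload name: {filename!r}")

    # Hold the directory open and do every operation relative to it, so a
    # swapped path component cannot redirect us elsewhere.
    dir_fd = os.open(upload_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Unpredictable staging name, created exclusively: an attacker-planted
        # entry of the same name makes open() fail instead of being followed.
        tmp_name = f".{filename}.{os.getpid()}.{os.urandom(8).hex()}.part"
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        fd = os.open(tmp_name, flags, 0o600, dir_fd=dir_fd)
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
        except BaseException:
            os.unlink(tmp_name, dir_fd=dir_fd)
            raise
        # rename() replaces the destination directory entry itself; a symlink
        # sitting at the destination is replaced, never dereferenced.
        os.rename(tmp_name, filename, src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    return os.path.join(upload_dir, filename)


def demo() -> dict:
    """Constructed scenario: a symlink in the upload dir points at a file
    outside it. Returns what each finalization did to that outside file."""
    root = tempfile.mkdtemp()
    upload_dir = os.path.join(root, "uploads")
    os.mkdir(upload_dir)
    victim = os.path.join(root, "victim.conf")  # constructed target outside uploads
    link = os.path.join(upload_dir, "report.txt")

    def reset() -> None:
        with open(victim, "wb") as f:
            f.write(b"original\n")
        if os.path.lexists(link):
            os.unlink(link)
        os.symlink(victim, link)

    results = {}
    reset()
    finalize_upload_naively(upload_dir, "report.txt", b"uploaded\n")
    with open(victim, "rb") as f:
        results["naive_victim"] = f.read()

    reset()
    finalize_upload_safely(upload_dir, "report.txt", b"uploaded\n")
    with open(victim, "rb") as f:
        results["safe_victim"] = f.read()
    results["safe_dest_is_link"] = os.path.islink(link)
    with open(link, "rb") as f:
        results["safe_dest_content"] = f.read()
    return results


if __name__ == "__main__":
    print(demo())
```

The staged write is what closes the window: the only name the server ever opens for writing is one it created itself with O_EXCL, and the final rename() operates on directory entries rather than on link targets, so a symlink placed at the destination is simply overwritten by the uploaded file. The same check is easy to turn into a detection rule for an existing deployment: any symlink present inside the upload directory is a sign that should be investigated.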

Exploit

Fix

Weakness Enumeration: Time Of Check To Time Of Use; Link Following

Related Identifiers: CVE-2025-67124; GHSA-MXC8-4JQF-368Q

Affected Products: Miniserve